
India’s Star Health Insurance Data Leaks via Telegram Chatbots

Hackers are leaking sensitive personally identifiable information (PII) and protected health information (PHI) from India’s top health insurance company, Star Health and Allied Insurance, via Telegram chatbots.

Active since August 6, 2024, the rogue chatbots allow users to download the leaked health insurance data in various formats, including PDF, according to UK-based cybersecurity researcher Jason Parker.

The data leak comes hot on the heels of France’s arrest of Telegram’s founder Pavel Durov for his alleged failure to stop criminals from abusing one of the world’s largest secure messaging apps.

The 39-year-old Russian-born and French passport holder faces six charges, which critics say are politically motivated for his decision to maintain self-proclaimed political neutrality in the face of a highly turbulent geopolitical climate since Russia’s invasion of Ukraine.

Meanwhile, India’s largest health insurer downplayed the cyber incident by claiming the compromise was not widespread and “sensitive customer data remains secure.”

Telegram chatbots leak over 7 terabytes of Star Health insurance data

The rogue and persistent Telegram chatbots allow users to download small portions of India’s Star Health insurance data for free.

However, xenZen, the threat actor behind India’s Star Health insurance data breach, charges for bulk downloads.

Up to 7.24 terabytes of health insurance data, impacting 31 million customers, is available for download, highlighting the widespread scope of the Star Health and Allied Insurance data leak.

The health insurance data leak exposed the victims’ names, addresses, phone numbers, insurance policy details, government-issued ID numbers, and protected health information, including test results and medical diagnoses.

Such information is highly sought after by cybercriminals; its exposure could cause the victims lasting harm and leave them at persistent risk of follow-on cyber attacks.

Meanwhile, media outlet Reuters has confirmed downloading 1,500 files, some dated as recently as July 2024.

Resurgent Telegram chatbots continue hemorrhaging health insurance data

Concerned messaging app users have reported the malicious Telegram chatbots. In response, the secure messaging platform said it expressly prohibits sharing sensitive personal information and took down the implicated Telegram chatbots.

“The sharing of private information on Telegram is expressly forbidden and is removed whenever it is found,” Telegram said.

In addition, the security- and anonymity-focused messaging platform with over 900 million users says it uses proactive monitoring and AI tools to remove malicious content.

Like the heads of the Hydra, other malicious Telegram chatbots have emerged in place of those previously removed, highlighting the app’s limited ability to moderate user content after sensitive data leaks.

“If this bot gets taken down watch out and another one will be made available in [a] few hours,” the threat actor gloated.

NordVPN’s cybersecurity expert Adrianus Warmenhoven has described Telegram as an “easy-to-use storefront” for cybercriminals to monetize stolen data.

Indian firms also struggle to keep their customer data safe, according to an earlier study by NordVPN, which listed the country as a top source of personal data traded via Telegram chatbots. In that study, NordVPN found that of the 5 million people whose data was sold on the bot marketplace, 600,000 were Indian.

Star Health says it has reported the insurance data breach to regional and national law enforcement and cybersecurity authorities, including the Tamil Nadu cybercrime department, and India’s Computer Emergency Response Team (CERT-In).

Nevertheless, the $4 billion-valued Indian insurance company has not yet notified impacted individuals, putting them at serious risk of phishing attacks and extortion.

Additionally, Star Health and Allied Insurance claims that only “a few claims data” were affected, further downplaying the impact of the health insurance data breach.